New Zealand has not signed the United Nations (UN) Convention on the Use of Electronic Communications in International Contracts.

Under the Copyright (New Technologies) Amendment Act 2008, Internet service providers (ISPs) are not liable simply because a user infringes a copyright (Section 92B). However, ISPs may face liability for copyright infringement if they store infringing material with specific knowledge of the infringement, or if they cache it and do not immediately delete or make it unavailable upon notice (Sections 92C and 92E).
The decision by the Supreme Court of New Zealand in Ortmann, van der Kolk, Batato, Dotcom v. USA and Anor (2020) NZSC 120 extends civil liability into a criminal penalty against ISPs. The decision ruled that Section 131 of the Copyright Act, which sets out criminal offences in relation to copyright works, encompasses online dissemination of digital copies. As a result, it has been opined that Internet service providers are now potentially subject to criminal sanctions in the course of their day-to-day activities. New Zealand Law Society states that "ISPs in New Zealand, and overseas ISPs providing services to New Zealanders, will obviously be concerned as to the extent of their potential criminal liability in this country for users infringing copyright online. It is not unrealistic to imagine this could have an impact on the availability of online services for New Zealanders."
An "ISP" under the Copyright Act means an entity which (a) offers the transmission, routing, or providing of connections for digital online communications, between or among points specified by a user, of material of the user’s choosing, or (b) hosts material on websites or other electronic retrieval systems that can be accessed by a user (Section 4).

The Harmful Digital Communications Act 2015 establishes a safe harbour regime for intermediaries beyond copyright infringement. Section 24 provides a process for an Internet service provider to obtain protection against liability for specific content. However, the lack of the process specified in Section 24 does not itself create any civil or criminal liability for hosting the illegal content (Section 23).

Under Reg. 14A(2) of the Russia Sanctions Regulations 2022, New Zealand prohibits the import of luxury goods of Russian origin. Since April 2023, following the insertion of Reg. 14A(2A) and the replacement of Schedule 1A by the Russia Sanctions Amendment Regulations (No. 4) 2023, the prohibition applies differently across categories of luxury goods. According to Schedule 1A, Part 2, the prohibition includes personal consumer electronics under HS codes 8524 and 8528.72.00 with a customs value above NZD 1,000 (approx. 585 USD).

The export of goods, software, and technology listed in the New Zealand Strategic Goods List (NZSGL) is prohibited unless the exporter obtains the consent or approval of the Secretary of Foreign Affairs and Trade. New Zealand implements these export controls through the Customs Export Prohibition (Strategic Goods) Order 2021, issued under Art. 96 of the Customs and Excise Act 2018.
The NZSGL covers electronics, computers, telecommunications, and information security. The October 2025 NZSGL, which replaced the November 2024 version, introduced additional national controls on certain dual-use technologies, particularly in materials processing, electronics, and computers.

Under Reg. 13(1) of the Russia Sanctions Regulations 2022, New Zealand prohibits New Zealand persons from exporting, directly or indirectly, to, for use in, or for the benefit of Russia or Belarus, any assets listed in Schedule 3. Schedule 3 covers a broad range of ICT-related and dual-use goods, including automatic data-processing machines and related units, such as portable computers, processors and processing units, input or output units, storage units, and other data-processing equipment, as well as telecommunications equipment, transmission apparatus, semiconductor devices, electronic integrated circuits, and electronic micro-assemblies.
The Russia Sanctions Amendment Regulations (No. 13) 2022 replaced Schedule 3 and retained HS codes relevant to computers, telecommunications, and electronic components, including headings and subheadings under 8471, 8517, 8541, and 8542. In 2024, New Zealand further strengthened this measure by targeting sanctions evasion, including indirect exports of restricted goods to third countries where the goods are subsequently exported to, or used in, Russia or Belarus.

Self-certification is permitted for radio transmission, electromagnetic interference (EMI), and electromagnetic compatibility (EMC). Foreign companies are authorised to self-certify compliance with these standards through a Supplier Declaration of Conformity (SDoC). Registration of the equipment with the regulatory authority is not required, nor is testing by an accredited laboratory mandatory. When testing is conducted, the selection of the testing laboratory is at the discretion of the supplier or manufacturer.
It is further noted that suppliers may undertake these procedures; however, for Group 2 ISM equipment and telecommunications terminal equipment (TTE), the testing facility must be accredited by International Accreditation New Zealand (IANZ) or by an accreditation body with a mutual recognition arrangement with IANZ.
For some high-risk products, the government may require approval from a recognised organisation or agency before they can be supplied in the country.
Radiocommunications (Compliance) Notice 2020 describes the different levels of conformity for products, including the level of testing and documentation as well as product labelling requirements. It also describes the requirements for the Declaration of Conformity.
Radiocommunications (Radio Standards) Notice 2020 describes the performance standards required for different classes of radio products. The notice also assigns the level of conformity applied to the products covered by each standard.
Radiocommunications (EMC Standards) Notice 2019 describes the performance standards that electrical and electronic products (other than licensed radio transmitters covered by the Radio Standards Notice) must meet.
New Zealand has a mutual recognition agreement with Australia, which provides some SDoC exemptions. Products supplied in accordance with the Radiocommunications Regulations (Mutual Recognition: Australia) Notice 2008 do not need to have a New Zealand declaration of conformity.

Under the Telecommunications (Interception Capability and Security) Act 2013 (TICSA), network operators must notify the Government Communications Security Bureau (GCSB) of proposed decisions, actions, or changes to public telecommunications networks that fall within specified security interests before they are implemented. The GCSB assesses whether the proposal raises network security risks and may require mitigation measures. If a proposal raises a network security risk that exceeds minimal levels, the operator must not implement it unless the risk is prevented or sufficiently mitigated. In 2018, the GCSB assessed Spark’s proposal to deploy Huawei 5G Radio Access Network equipment and identified significant national security risks, which meant Spark could not implement it under TICSA. Although New Zealand has not adopted a general statutory ban on Huawei equipment, the TICSA framework gives the GCSB case-by-case powers to assess and restrict network changes that may affect national security. Subsequent 5G deployments by major operators, including Spark and Vodafone New Zealand, have relied on suppliers such as Nokia.

Under Section 22.2BA of the Tax Administration Act (TAA) and Section 75.3BA of the Goods and Services Tax Act (the GST Act), taxpayers in New Zealand are legally required to retain business and GST records within the country, whether in physical or electronic form. However, the Commissioner of Inland Revenue (CIR) may, under Section 22.8 of the TAA and Section 75.6 of the GST Act, exercise discretion to authorise offshore storage of such records. According to Revenue Alert 10/02, the CIR maintains that compliance with statutory record-keeping obligations necessitates the physical storage of primary business records in data centres located within New Zealand. Consequently, taxpayers using cloud computing services must ensure that their primary records are stored domestically, although the use of offshore cloud services for backup purposes is permissible, provided the primary records remain in New Zealand.

Section 189 of the Companies Act stipulates that companies must retain the following records at their registered office in New Zealand: the company’s constitution; resolutions and minutes of meetings of directors and shareholders; all written communications to shareholders and any share certificates issued; the register of directors; the register of directors’ interests; directors’ certificates; the share register; and the company’s financial statements together with its tax and accounting records.

The new Privacy Act 2020, which entered into force in December 2020, creates a conditional flow regime. Information Privacy Principle 12 in Section 22 of the Act governs cross-border data transfer. A business or organisation may only disclose personal information to another organisation outside New Zealand if the receiving organisation:
- is subject to the Privacy Act because they do business in New Zealand;
- is subject to privacy laws that provide comparable safeguards to the Privacy Act - or they agree to protect the information in such a way (e.g., by using model contract clauses), or
- is covered by a binding scheme or is subject to the privacy laws of a country prescribed by the New Zealand Government.
If none of these conditions is satisfied, a business may only make a cross-border disclosure with the permission of the data subject.
This regime does not apply to an overseas organisation that holds or processes on the business's behalf (e.g., cloud service providers).
Still, despite the IPP 12, a business may make a cross-border disclosure in urgent circumstances where it is necessary to maintain public health or safety or for the maintenance of the law.
This regime does not affect or limit other New Zealand law that regulates the availability of personal information (Section 24).

New Zealand has joined several agreements with binding commitments to open transfers of data across borders. These include: the Comprehensive and Progressive Agreement for Trans-Pacific Partnership (CPTPP, Art. 14.11), the Protocol to Amend the Agreement between Singapore and New Zealand on a Closer Economic Partnership (Art. 9.10), the Digital Economy Partnership Agreement Between Singapore, Chile and New Zealand (DEPA, Art. 4.3), the Free Trade Agreement between the United Kingdom of Great Britain and Northern Ireland and New Zealand [Art.15.4(2)], the EU-New Zealand Free Trade Agreement (Chapter 12, Art. 12.4), and the Protocol to the Digital Economy Partnership Agreement (Art. 5)

The Privacy Act 2020 provides a comprehensive data protection regime in New Zealand. It repeals and replaces the Privacy Act 1993 and contains 13 Information Privacy Principles (IPP) that govern the use of personal information in the country. The Act requires agencies to appoint at least one privacy officer, report data breaches that cause or are likely to cause serious harm, and provide data subjects with both the right to access and the right to request correction of their personal information. In addition, the new IPP 12 provides that an organisation or business may disclose personal information to an agency outside New Zealand only if the receiving agency is subject to safeguards similar to those in the Act. Also, the Act introduces new criminal penalties, punishable with fines of up to NZD 10,000 (approx. USD 6,000) and allows the Office of the Privacy Commissioner of New Zealand to issue compliance notices and enforceable access directions.

The Privacy Act 2020 provides that "[a]n agency must appoint as privacy officers for the agency one or more individuals" (Section 201).

Trade secrets are not protected under a dedicated statutory civil regime in New Zealand, but they may be protected through contractual arrangements and common law actions for breach of confidence. Under Section 230 of the Crimes Act 1961, the misappropriation of a trade secret, with intent to obtain a financial or economic advantage or to cause loss to another person, constitutes a criminal offence punishable by up to five years’ imprisonment. In addition, Section 249 criminalises accessing a computer system for a dishonest purpose to obtain property, which may apply to digital files and is punishable by up to seven years’ imprisonment.
Confidential commercial information held by public authorities may also be protected from disclosure under the Official Information Act 1982, including where disclosure would reveal trade secrets or prejudice commercial interests.